---
title: Configuration
---

``` yaml
log:
  # Log level for sigma itself.
  # NOTE(review): debug is verbose; confirm what request data ends up in the
  # logs before keeping this level on a production instance.
  level: debug
  # Log level for the proxy to another registry (e.g. docker.io).
  proxyLevel: info

database:
  # The database type to use. Supported types are: sqlite3, mysql, postgresql
  # Only the sub-section matching `type` is presumably read; confirm.
  type: sqlite3
  sqlite3:
    # Path of the SQLite database file. It is relative here, so presumably it
    # is resolved against the process working directory; confirm.
    path: sigma.db
  mysql:
    host: localhost
    port: 3306
    user: sigma
    # Sample credential (identical to the user name). Set a unique password
    # before deploying and keep it out of version control.
    password: sigma
    dbname: sigma
  postgresql:
    host: localhost
    port: 5432
    user: sigma
    # Sample credential (identical to the user name). Set a unique password
    # before deploying and keep it out of version control.
    password: sigma
    dbname: sigma
    # `disable` turns TLS off for the PostgreSQL connection, so credentials
    # and data cross the network in cleartext. That is tolerable for the
    # localhost host shown here; for a remote host use a verifying mode
    # (e.g. verify-full). Confirm which sslmode values sigma passes through.
    sslmode: disable

redis:
  # Redis types available: none, external. Every other redis option in this
  # file refers to the instance configured here.
  # none: never use redis
  # external: use the redis instance given by `url`
  type: none
  # The URL embeds the redis password (`sigma` in this sample) and uses the
  # plaintext redis:// scheme. Replace the password before deploying and treat
  # this file as a secret once it holds a real one.
  # NOTE(review): for a non-local redis, check whether a TLS URL (rediss://)
  # is accepted.
  url: redis://:sigma@localhost:6379/0

badger:
  # badger is used to implement lock and cache in a single-node mode.
  enabled: true
  # Directory for the badger data. It backs the lock and cache data, so keep
  # it writable only by the account sigma runs as.
  path: /var/lib/sigma/badger/

cache:
  # Cache types available: redis, inmemory, badger.
  # Note: in multi-node mode you should use redis.
  type: badger
  inmemory:
    prefix: sigma-cache
    # NOTE(review): the unit of `size` (entries or bytes) is not stated on
    # this page; confirm.
    size: 10240
  redis:
    prefix: sigma-cache
    # Lifetime of a cache entry.
    ttl: 72h
  badger:
    prefix: sigma-cache
    # Lifetime of a cache entry.
    ttl: 72h

workqueue:
  # Workqueue types available: redis, kafka, database, inmemory.
  # NOTE(review): this sample selects redis here while `redis.type` above is
  # `none` ("never use redis"); make the two agree in a real deployment.
  type: redis
  redis:
    concurrency: 10
  # No kafka or database options are shown on this page.
  kafka: {}
  database: {}
  inmemory:
    concurrency: 1024

locker:
  # Locker types available: redis, badger.
  # badger is described above as the single-node implementation, so a
  # multi-node deployment presumably needs redis here; confirm.
  type: badger
  badger:
    prefix: sigma-locker
  redis:
    prefix: sigma-locker

namespace:
  # When an image is pushed to a namespace that does not exist, create the
  # namespace automatically.
  autoCreate: false
  # Visibility of automatically created namespaces; available: public, private.
  # NOTE(review): with `public` here, enabling autoCreate means a push to a new
  # namespace publishes it. Together with auth.anonymous.enabled: true this
  # presumably makes the images readable without login; prefer `private`
  # unless that is intended.
  visibility: public

http:
  # The endpoint can be a domain or a domain with port, e.g.
  # http://sigma.test.io, https://sigma.test.io:30080, http://127.0.0.1:3000
  # It is used to generate the token service URL in the auth middleware and is
  # shown on the front page. If left blank, http://127.0.0.1:3000 is used by
  # default.
  # Because clients are sent to this URL to obtain tokens, point it at an
  # https:// address on any deployment reachable over a network.
  endpoint:
  # In some cases the daemon pulls an image and scans it, and that pull should
  # not go through the public registry domain, so this internal endpoint is
  # used to pull images from the registry instead.
  # If left blank, http://127.0.0.1:3000 is used by default.
  # In a k8s cluster, set it to the distribution service used to pull images,
  # e.g. http://registry.default.svc.cluster.local:3000
  # In docker-compose, set it to the registry service used to pull images,
  # e.g. http://registry:3000
  # If http.tls.enabled is true, internalEndpoint should start with 'https://'
  # e.g. http://sigma.test.io, http://sigma.test.io:3000, https://sigma.test.io:30080
  internalEndpoint:
  tls:
    # With TLS disabled, logins, tokens and image data travel in cleartext
    # unless a proxy in front of sigma terminates TLS.
    enabled: false
    certificate: /etc/sigma/sigma.tosone.cn.crt
    # Private key for the certificate above; keep the file readable only by
    # the account sigma runs as.
    key: /etc/sigma/sigma.tosone.cn.key

storage:
  rootdirectory: ./storage
  # Storage backend; the sub-sections below are filesystem, s3, cos and oss.
  type: filesystem
  filesystem:
    path: /var/lib/sigma/oci/
  # The ak/sk pairs below are sample values (access key / secret key).
  # Replace them with credentials scoped to the single bucket sigma uses, and
  # keep the real values out of version control.
  s3:
    ak: sigma
    sk: sigma-sigma
    # Plain http:// to a loopback address; use https:// for a remote endpoint
    # so the keys and blobs are not sent in cleartext.
    endpoint: http://127.0.0.1:9000
    region: cn-north-1
    bucket: sigma
    forcePathStyle: true
  cos:
    ak: sigma
    sk: sigma-sigma
    # Sample bucket endpoint; replace with the endpoint of your own bucket.
    endpoint: https://hack-1251887554.cos.na-toronto.myqcloud.com
  oss:
    ak: sigma
    sk: sigma-sigma
    # Plain http:// to a loopback address; use https:// for a remote endpoint.
    endpoint: http://127.0.0.1:9000
    forcePathStyle: true

# Notice: a tag is never updated after it is first pulled from the remote
# registry, unless you delete the image and pull it again.
# A tag that is changed or fixed upstream therefore keeps serving the old
# content from this proxy until the image is deleted here.
proxy:
  enabled: false
  endpoint: https://registry-1.docker.io
  # Keep this true: turning it off removes certificate verification for the
  # upstream registry connection.
  tlsVerify: true
  # Credentials for the upstream registry; empty here, so presumably the
  # upstream is accessed anonymously. Confirm.
  username: ""
  password: ""

# daemon task config
daemon:
  builder:
    # NOTE(review): `latest` is a mutable tag; pinning the builder image to a
    # fixed version or digest keeps builds reproducible and auditable.
    image: sigma-builder:latest
    # Builder backend; the sub-sections below are docker, kubernetes and podman.
    type: docker
    docker:
      # Docker socket; blank here, so presumably the default socket is used.
      # Confirm. Access to the Docker socket is equivalent to root on that
      # host, so run the builder on a host where that is acceptable.
      sock:
      network: sigma
    kubernetes:
      # Blank here; presumably in-cluster configuration is used. Confirm.
      # Use a kubeconfig whose account is limited to the namespace below.
      kubeconfig:
      namespace: default
    podman:
      uri: unix:///run/podman/podman.sock

auth:
  anonymous:
    # Anonymous access is disabled when auth.anonymous.enabled is false.
    # NOTE(review): it is enabled in this sample; what an anonymous user may
    # read is not stated on this page. Confirm, and set it to false on a
    # private registry.
    enabled: true
  admin:
    # Sample administrator account with the password equal to the user name.
    # Change the password before exposing the instance.
    username: sigma
    password: sigma
  token:
    realm: ""
    service: ""
  jwt:
    ttl: 1h
    refreshTtl: 72h
    # generate the key with: openssl genrsa 4096 | base64
    # The value below is a truncated placeholder, not a usable key. Generate a
    # key per deployment: anyone holding it can sign tokens this instance will
    # accept, so store it as a secret.
    privateKey: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSB"
  oauth2:
    # The clientId/clientSecret values in this section are published in this
    # document, so they must not be relied on as secrets; register your own
    # OAuth application and supply its values from a secret store.
    github:
      # GitHub login is disabled when auth.oauth2.github.enabled is false.
      enabled: false
      clientId: "e5f9fa9e372dfac66aed"
      clientSecret: "49ab83f4d0665f8579516f7a3f2f753a6a57189b"
    gitlab:
      # GitLab login is disabled when auth.oauth2.gitlab.enabled is false.
      enabled: false
      clientId: "4df6efcf8c319efb73e8116c72d881c559ccaf822096220a13cee3047b05ed70"
      clientSecret: "94ceddf22fc1560f33caec6be32c9c61a91719bd2df3b5127ccd43187192f95b"
```
